Hack-Proof

11.14.12

Don’t Pull a Petraeus! How to Guard Your Personal & Work Email

Gen. David Petraeus’s affair was busted by a shared Gmail account. From encrypting emails to instant messaging off the record and never sharing passwords, The Daily Beast’s guide to keeping your correspondence under wraps.

The news that Gen. David Petraeus had been engaging in a romantic affair with his biographer was shocking. But the revelation that a sloppy email chain led to the exposure of the former CIA director’s infidelity is particularly hard to swallow. After all, if the man in charge of U.S. intelligence can’t protect his personal emails, who can? While the scandal reinforces the message that nothing is private on the Internet, The Daily Beast consulted some experts on the best ways to shield emails from prying eyes.

Personal Email

Step one: pick the perfect password. Yes, this advice may sound like it comes straight from the first page of Using the Internet for Dummies, but it’s a tried and true rule that, when broken, gets a lot of people into trouble. Just take a few extra minutes to come up with some combination of capital and lower-case letters and numbers that’s easy enough to remember but tricky enough that anyone with some slight knowledge of your life won’t be able to guess. (Addresses, birthdates, pets' names, and the like should be avoided.)

Oh, and don’t share your password with anyone else. I know, roll your eyes if you must, but this is not obvious to everyone. Joseph Mahaffee, chief information security officer at Booz Allen Hamilton, marvels at how often people, the young in particular, share Internet passwords as a symbol of having reached a certain stage of closeness in their relationships. Mahaffee advises quashing such romantic notions, as someone you trust now may turn out to be a future foe. And there’s nothing worse than an angry ex with access to your personal emails. Just ask Gen. Petraeus.

If you have enough foresight to realize that you’d sooner die than have your emails read by anyone, you can go a step beyond creating a super secret password and make sure your emails and other correspondence are encrypted. Encryption algorithms are basically like locks on a website that block your online activities from anyone who might be snooping on an unprotected network, like when you use wifi at an airport or forget to set a password on your Internet router at home. Systems like Google, eBay, PayPal, and most banks go ahead and do this for you to ensure that you can use their services safely.

Email is not the only form of communication susceptible to investigation. These days, most high schoolers, college students, and office workers rely on some type of instant messaging system to get them through the day. One of the more popular modes of Internet communication is Google’s instant messenger, Gchat, or as the search giant insists on calling it, Google Talk. Most regular Gchatters are familiar with the program’s “off the record” setting. If not, you’d better learn it, use it, love it. Off-the-record chatting should be your best friend when it comes to salacious conversations, be it online flirting, inter-office trash talking, or whatever other offensive, inappropriate, or simply embarrassing discussions you want to keep on the DL. By taking Gchats off the record, neither you nor the person you’ve been yakking with can search the conversation later in your Gmail history, as you can with on-the-record chats. Not only are off-the-record conversations unassociated with either chatter’s accounts, Google does not store off-the-record messages beyond confirming that they’ve been delivered. That means if a government official files a legal request—or even if a spouse seeking divorce obtains a civil order from a judge—to search someone’s correspondence history, off-the-record Gchats would be off limits.

Of course, even if you have chosen a hacker-proof password, taken your chats off the record, and encrypted your emails, the government or police may still be able to snoop through your account if given probable cause to obtain a warrant. Getting a warrant to search someone’s email—legally considered a form of communication—is like getting permission to tap a phone line, which, as any good Wire fan knows, is no easy task. Still, if you do or say something suspicious enough to get the fuzz’s attention, chances are your Internet history will soon be up for grabs.

According to the Google Blog’s Transparency Report, government surveillance of private email is on the rise. From July through December of 2009, Google received 12,539 requests to access email accounts from government agencies worldwide. In the first part of this year, that number rose to 20,938. These requests sought access to about 34,614 Google user accounts.

Back in February, a New Yorker article used email, instant messaging, Facebook, Twitter, and other online records to detail the events leading up to Rutgers student Tyler Clementi’s suicide and the subsequent trial of his roommate, Dharun Ravi. Police and prosecutors had dug through both Clementi’s and Ravi’s online histories to build character profiles of the two college freshmen that would be used to determine what led to the young man’s death. It certainly wasn’t the first case to turn to emails or other past communication for evidence. But seeing both teenagers’ crudely written tweets, instant messages, and Facebook posts—things many of us write every day without much thought—laid out in plain text as evidence in a criminal trial offered a shocking dose of reality about just how careful we should be and typically aren’t.

Work Email

Until now we’ve been talking about personal email accounts: Gmail, Yahoo, Hotmail, or even AOL, if you’re really cool. But employer-provided email systems are a whole different animal. You may not be aware of this, but if you are employed, your contract may waive your right to privacy with regard to inter-office email. Most, though not all, do. Joseph Lorenzo Hall, senior staff technologist at the Center for Democracy and Technology, insists that employer-provided email systems are no place for personal conversations. So think twice before mocking the boss’s staff-wide memo to your coworkers or planning an interoffice romance over interoffice email. It’s all fun and games until someone gets fired, am I right?

Also keep in mind that while Google claims that if you “delete forever” emails they are inaccessible after a few days, other providers, such as Webmail, are not as clear about how or even whether emails can be permanently deleted. “For email on your machine locally (if you download your email to a computer, laptop or other device), ‘deleting’ doesn’t erase the emails but, in fact, just removes a link to the file from the operating system,” says Hall. “To permanently delete files, one has to (on a Mac) select ‘Secure Empty Trash’ or (on Windows) you can install free secure deletion tools like Eraser. These programs not only remove the link to the files in the operating system, but also write over the old file location with random 1s and 0s.”
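Hall’s distinction between removing a link and writing over the data, as an added illustration that is not part of the original article or of any tool it names: the hard link called `witness` is a constructed stand-in for the on-disk data that outlives an ordinary delete, and the function and file names are assumptions. In-place overwriting is not guaranteed to reach the original blocks on SSDs or copy-on-write filesystems.

```python
import os
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so large files do not sit in memory


def overwrite_and_delete(path, passes=1):
    """Write random bytes over a file's existing contents, then unlink it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b writes into the existing file, no truncation
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # ask the OS to push the overwrite to the device
    os.remove(path)


def demo():
    """Return (original bytes, bytes left after plain delete, bytes left after overwrite)."""
    secret = b"Subject: constructed sample email\n\nmeet at noon\n"
    workdir = tempfile.mkdtemp()
    leftovers = []
    for deleter in (os.remove, overwrite_and_delete):
        mail = os.path.join(workdir, "mail.eml")
        witness = os.path.join(workdir, "witness")
        with open(mail, "wb") as f:
            f.write(secret)
        os.link(mail, witness)  # second name for the same data (assumed stand-in)
        deleter(mail)           # "mail.eml" is gone from the directory either way
        with open(witness, "rb") as f:
            leftovers.append(f.read())
        os.remove(witness)
    os.rmdir(workdir)
    return secret, leftovers[0], leftovers[1]


if __name__ == "__main__":
    original, after_delete, after_overwrite = demo()
    print("plain delete left the message readable:", after_delete == original)
    print("overwrite left the message readable:  ", after_overwrite == original)
```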

Hall compares emailing to “sending a glorified post card: every stop on the Internet that an email makes is an opportunity for that stop (a server) to read its contents.” Unfortunately, for the average emailer unfamiliar with the complicated “crypto tools” needed to support truly off-the-record correspondence, communicating online without leaving a trail is virtually impossible. Secure and usable tools “for normal people” are in the works, Hall says, but in the meantime, it’s best to have private conversations in person.